10.5: Use public keys with SSH in 10.5
Authored by: vdanen on Nov 05, '07 06:12:21PM

A few corrections.

You can't simply cat the public key over to a server if you haven't created the ~/.ssh directory first. You have to create the directory first. Also, simply catting it over isn't overly smart, and you could have it refuse to use the key due to insecure permissions. You should be doing:

scp ~/.ssh/id_rsa.pub user@server.com:~/    # on your Mac: copy only the .pub file

ssh user@server.com                          # the rest is run on the server

mkdir .ssh && chmod 0700 .ssh                # chmod, not chown: 0700 is a mode, not an owner

mv id_rsa.pub .ssh/authorized_keys && chmod 0600 .ssh/authorized_keys

And you're right, the key needs to be on the other end first, before you get this dialog, because this dialog adds the key to the running ssh-agent. If there is no pubkey negotiation, ssh-agent isn't consulted at all; you're providing a straight password to the remote sshd server.

A good primer on using OpenSSH is here: Optimizing OpenSSH [linsec.ca]. I wrote it, it's a few years old, but still really relevant for OS X or Linux (servers or clients).
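An added example, not part of vdanen's post: a small POSIX shell script that does the server-side half of the steps above (directory 0700, authorized_keys 0600) but appends to authorized_keys instead of replacing it and refuses to add the same key twice, so it can be re-run for a second machine's key. The file names are the standard OpenSSH ones; the HOME_DIR parameter and the scratch-directory run under --demo are constructed for illustration, and the key material in the demo is not a real key.

```shell
#!/bin/sh
# Added example (not the original poster's code): install a public key into
# ~/.ssh/authorized_keys with the permissions sshd insists on.
# Real use, on the server, after "scp ~/.ssh/id_rsa.pub user@server.com:~/":
#   sh install_key.sh ~/id_rsa.pub
set -eu

# install_key PUBKEY_FILE [HOME_DIR]
# HOME_DIR defaults to $HOME; it is a parameter only so the function can be
# exercised against a scratch directory.
install_key() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # authorized_keys holds one key per line. Anything that is not exactly one
    # line (e.g. a private key copied over by mistake) is rejected.
    if [ "$(grep -c '' "$pubkey_file")" -ne 1 ]; then
        echo "$pubkey_file: expected exactly one public-key line" >&2
        return 1
    fi

    # With StrictModes (the sshd default) the key is silently ignored if ~/.ssh
    # or authorized_keys is writable by anyone else, hence chmod, not chown.
    mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"
    touch "$auth_file"
    chmod 0600 "$auth_file"

    key=$(cat "$pubkey_file")
    # Match on key type and base64 blob only, so a different trailing comment
    # does not produce a duplicate entry for the same key.
    key_id=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if grep -qF -- "$key_id" "$auth_file"; then
        echo "already present: $key_id"
    else
        printf '%s\n' "$key" >> "$auth_file"
        echo "added: $key_id"
    fi
}

# check_perms HOME_DIR: 0 when ~/.ssh is exactly 0700 and authorized_keys is
# exactly 0600. find is used instead of stat because GNU and BSD (macOS) stat
# take different flags; find -perm with an octal mode works on both.
check_perms() {
    [ -n "$(find "$1/.ssh" -maxdepth 0 -type d -perm 0700 2>/dev/null)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -maxdepth 0 -type f -perm 0600 2>/dev/null)" ]
}

if [ "${1:-}" = "--demo" ]; then
    # Self-contained run against a scratch HOME with a constructed, non-real key.
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKeyAAAAAAAAAAAAAAAAA user@laptop\n' \
        > "$tmp/id_ed25519.pub"
    install_key "$tmp/id_ed25519.pub" "$tmp"
    install_key "$tmp/id_ed25519.pub" "$tmp"   # second run reports "already present"
    check_perms "$tmp" && echo "permissions OK"
    rm -rf "$tmp"
elif [ $# -ge 1 ]; then
    install_key "$1"
    check_perms "$HOME"
fi
```

The mode checks matter more than they look: a 0755 home directory is fine, but a group-writable ~/.ssh makes sshd skip the file with no error on the client side, and the result looks exactly like "the key was not copied".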

10.5: Use public keys with SSH in 10.5
Authored by: vdanen on Nov 05, '07 06:19:38PM

Oh, I also forgot to mention that if you're calling ssh-agent directly from a .bashrc or similar file on terminal startup, you may also not get this prompt. You'll know whether or not this is the case by doing:

$ env | grep SSH

If you see something like SSH_AUTH_SOCK=/tmp/launch-WsBdoO/Listeners then you're using the authentication socket started by launchd (presumably when you first log in); if it's something else, then you've got some hunting to do in ~/.bashrc, ~/.bash_profile, ~/.zshrc, or whatever. Shouldn't be a problem for fresh installs, but if you're like me and connected to an SSHKeychain-driven ssh-agent in Tiger, then you might have some stuff to remove in those startup files.
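An added example, not part of vdanen's post: the "env | grep SSH" check turned into a small audit script that classifies where the shell's SSH_AUTH_SOCK came from, verifies that something is actually listening on it, and does the "hunting" through the startup files for you. The /tmp/launch-*/Listeners shape is the one from the post; the /private/tmp/com.apple.launchd.*/Listeners shape is what later macOS releases use and is added here from the editor's knowledge, not from the thread.

```shell
#!/bin/sh
# Added example (not the original poster's code): where does my agent socket
# come from, and which startup file might be overriding it?
#   sh agent_audit.sh --report
set -eu

# socket_origin SOCK_PATH: classify an SSH_AUTH_SOCK value by its path shape.
#   launchd   - the per-login agent launchd starts on macOS
#   ssh-agent - a socket made by running ssh-agent yourself (ssh-XXXX/agent.N);
#               a socket sshd created for agent forwarding has the same shape
#   none      - variable empty or unset: ssh will only use keys read from disk
#   other     - anything else (SSHKeychain, gpg-agent, a custom path)
socket_origin() {
    case "${1:-}" in
        "")                                          echo none ;;
        /tmp/launch-*/Listeners)                     echo launchd ;;
        /private/tmp/com.apple.launchd.*/Listeners)  echo launchd ;;
        */ssh-*/agent.*)                             echo ssh-agent ;;
        *)                                           echo other ;;
    esac
}

# socket_alive SOCK_PATH: 0 if the path exists and is a Unix socket. A variable
# that points at a socket from a previous login is the classic "ssh-add says
# Could not open a connection to your authentication agent" cause.
socket_alive() {
    [ -S "${1:-}" ]
}

# agent_overrides FILE...: print file:line:text for every non-comment line in
# the given startup files that starts an ssh-agent or sets SSH_AUTH_SOCK.
# Missing files are skipped. (sed uses | as its delimiter, so paths containing
# | would need a different one.)
agent_overrides() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -nE 'ssh-agent|SSH_AUTH_SOCK' "$f" \
            | grep -vE '^[0-9]+:[[:space:]]*#' \
            | sed "s|^|$f:|"
    done
    return 0
}

if [ "${1:-}" = "--report" ]; then
    sock=${SSH_AUTH_SOCK:-}
    echo "SSH_AUTH_SOCK=$sock  (origin: $(socket_origin "$sock"))"
    if [ -n "$sock" ] && ! socket_alive "$sock"; then
        echo "warning: nothing is listening there; agent-held keys will not be found"
    fi
    echo "startup files that start ssh-agent or set SSH_AUTH_SOCK:"
    agent_overrides "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" \
                    "$HOME/.zshenv" "$HOME/.zprofile" "$HOME/.zshrc"
fi
```

If the report shows a launchd socket that is alive and no overrides, the passphrase dialog the hint describes should appear; an override in one of the listed files is the thing to remove.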

10.5: Use public keys with SSH in 10.5
Authored by: vocaro on Nov 05, '07 08:37:09PM

Can someone please explain what exactly is "great" about this? I don't have Leopard, but I do have Tiger, which works perfectly fine with public key authentication. What exactly is different with SSH authentication in Leopard?

10.5: Use public keys with SSH in 10.5
Authored by: richardl on Nov 06, '07 05:46:26AM

When you generate your key, you have the option of creating a 'Passphrase' (this is like having a password for your private key). The problem when you define a passphrase is that you need to enter it every time you authenticate with that key. The official way around this is to use an SSH agent, which will keep your passphrase in memory (there is native SSH support for this; I use SSHKeychain, which automates this process). The purpose of the tip is that with Leopard, the author states that SSH will keep a key's passphrase in the keychain, but like the others, I could not make this happen.

10.5: Use public keys with SSH in 10.5
Authored by: richardl on Nov 06, '07 06:35:35AM

I take it back, it does work. I had to disable SSHKeychain's global variable and log off and back on. I have multiple keys; I initially had to 'ssh -i keyname userid@host' for it to save my key in the keychain.

10.5: Use public keys with SSH in 10.5
Authored by: jms1 on Nov 06, '07 06:53:00PM

The difference is that the 10.5 version of "ssh" now runs a process called "ssh-agent" in the background. This process CAN, but doesn't necessarily have to, hold the actual secret keys used to authenticate to the remote servers.

If you want the agent to hold your secret key (which means you won't have to type a password OR a passphrase to access remote servers) you can run "ssh-add" in a terminal window. It will ask you for the passphrase for the key, and then add the key to the agent.

Once this is done, whenever you connect to a server, the agent uses the key (now in memory) to automatically answer the server's challenges. If the agent doesn't have the key in memory, it pops up a window on the screen, asking for the passphrase. It then uses that passphrase to read and decrypt the secret key from the disk, uses the key to answer the challenge, then wipes both pieces of information (the key and the passphrase) out of memory.

I wrote a web page a few years ago that explains the whole process in a lot more detail. It's more geared towards Linux, but the programs involved (ssh, ssh-agent, ssh-add, etc.) are the same programs. The only difference is that the OS X version of ssh-agent knows how to pop up a GUI window to prompt you for the passphrase.

One interesting thing you can do with keys is "agent forwarding". The idea is that, from your workstation, you can ssh to "machine A", and then FROM THERE you can ssh to "machine B", and from there to "machine C", and so forth... and the socket back to the ssh-agent process on your workstation is carried along for the ride, which means the "ssh" process on machine B is able to send machine C's challenge back through a "side channel" all the way back to your workstation, and have the agent compute the answer to the challenge... all without machine A knowing, or caring, what was going on.

I normally use a program called "SSHKeychain". It works as a front-end for ssh-agent, with a GUI which allows you to manually add and remove keys without having to type "ssh-add" commands. The thing I like about it is that it can be configured so that when you enter the passphrase for a key, it automatically adds that key to the agent, which means I only have to type my passphrase once when I run my first "ssh" or "scp" command in the morning, or if I have to log out or reboot.
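An added example that is not jms1's code: a POSIX shell script that walks through the agent lifecycle his post describes (start an agent, ssh-add a key, see the agent answer for it, forget the key again) against a private throwaway agent so it does not disturb the launchd-started one, and then writes a client config that scopes agent forwarding. The host names jump.example.com and inner.example.com are hypothetical. The forwarding caveat it encodes: anyone with root on a machine that receives your forwarded agent can use your keys while you are connected, so forward only to hosts you trust; ProxyJump (OpenSSH 7.3 and later) reaches "machine C" through "machine A" without exposing the agent to A. ProxyJump and ssh -G are both newer than the 2007 OpenSSH this thread was written against. Requires the OpenSSH client tools (ssh-agent, ssh-add, ssh-keygen, ssh).

```shell
#!/bin/sh
# Added example (not the original poster's code): exercise ssh-agent/ssh-add
# against a private agent, then write and verify a forwarding-scoped config.
#   sh agent_demo.sh --demo
set -eu

# start_agent DIR: start an agent separate from the launchd/login one, bound to
# a socket under DIR. Exports SSH_AUTH_SOCK and SSH_AGENT_PID into this shell,
# which is exactly what "eval $(ssh-agent -s)" in a .bashrc does.
start_agent() {
    eval "$(ssh-agent -s -a "$1/agent.sock")" > /dev/null
}

# stop_agent: kill the agent started above and unset its variables.
stop_agent() {
    eval "$(ssh-agent -k)" > /dev/null
}

# make_demo_key DIR: a throwaway ed25519 key with an empty passphrase so
# ssh-add will not prompt. Real keys should have a passphrase; the agent is
# what spares you from retyping it.
make_demo_key() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo key (constructed)' -f "$1/demo_key"
}

# key_fingerprint PUBKEY: the SHA256 fingerprint as ssh-keygen -l prints it.
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# agent_has_key PUBKEY: 0 if the running agent lists that key's fingerprint.
# "ssh-add -l" is the same view ssh itself gets when it asks the agent.
agent_has_key() {
    fp=$(key_fingerprint "$1")
    ssh-add -l 2>/dev/null | awk '{print $2}' | grep -qxF -- "$fp"
}

# write_forwarding_config FILE: forward the agent only to the one host you hop
# through, never globally, and reach the inner host with ProxyJump so the
# agent is never exposed to the jump host at all. Host names are hypothetical.
write_forwarding_config() {
    cat > "$1" <<'EOF'
Host jump
    HostName jump.example.com
    ForwardAgent yes

Host inner
    HostName inner.example.com
    ProxyJump jump
    ForwardAgent no

Host *
    ForwardAgent no
EOF
}

# effective_option CONFIG HOST OPTION: the value ssh will actually use for HOST
# after Host blocks are evaluated, via "ssh -G" (lower-case keywords, no
# connection is made). -F makes ssh ignore the system-wide ssh_config too.
effective_option() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k {print $2}'
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    start_agent "$dir"
    make_demo_key "$dir"
    ssh-add "$dir/demo_key" 2>/dev/null          # what you type once per login
    agent_has_key "$dir/demo_key.pub" && echo "agent holds $(key_fingerprint "$dir/demo_key.pub")"
    ssh-add -D 2>/dev/null                       # forget every key, e.g. before walking away
    agent_has_key "$dir/demo_key.pub" || echo "agent is empty again"
    write_forwarding_config "$dir/config"
    echo "ForwardAgent for jump:  $(effective_option "$dir/config" jump forwardagent)"
    echo "ForwardAgent for inner: $(effective_option "$dir/config" inner forwardagent)"
    stop_agent
    rm -rf "$dir"
fi
```

Adding a key with "ssh-add -c" instead of plain "ssh-add" makes the agent ask for confirmation on every use, which is the cheap defence if you do have to forward the agent into a host you only half trust.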